Closed K4S1 closed 1 year ago
Likely your destination host only supports TLSv1.0 and you are using a TLSv1.2-only OpenSSL 3 configuration:
https://github.com/openssl/openssl/issues/19867
A possible workaround is setting the seclevel to 0 in OpenSSL: `-cipher DEFAULT@SECLEVEL=0`
I have just pushed a new version with a better error message, e.g.:

```console
$ ./check_ssl_cert --host imap.cern.ch --port 993
SSL_CERT_CRITICAL imap.cern.ch: Legacy signature algorithm unsupported or disallowed
```

And an option to set the security level as suggested by @lukastribus:

```console
$ ./check_ssl_cert --host imap.cern.ch --port 993 --security-level 0
SSL_CERT OK - imap.cern.ch:993, https, x509 certificate 'mmm.cern.ch' (imap.cern.ch) from 'Sectigo Limited' valid until Nov 12 23:59:59 2023 GMT (expires in 300 days)|days_chain_elem1=300;20;15;; days_chain_elem2=2906;20;15;; days_chain_elem3=2176;20;15;;
$ ./check_ssl_cert --host imap.cern.ch --port 993 --security-level 1
SSL_CERT_CRITICAL imap.cern.ch: Legacy signature algorithm unsupported or disallowed
$ ./check_ssl_cert --host imap.cern.ch --port 993 --security-level 3
SSL_CERT_CRITICAL imap.cern.ch: Unsupported TLS protocol version
$ ./check_ssl_cert --host imap.cern.ch --port 993 --security-level 4
SSL_CERT_CRITICAL imap.cern.ch:993: TLS handshake error
```
@K4S1 Dear Kasper, this is as much as I can do without testing.
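The two comments above describe the same knob from two sides: OpenSSL's security level (`-cipher DEFAULT@SECLEVEL=0` on the CLI) and the `--security-level` option that exposes it. The script below is an added illustration written for this page, not code from check_ssl_cert or from any participant in the thread. It builds a client `SSLContext` pinned to a given security level with the same `DEFAULT@SECLEVEL=n` cipher-string syntax, probes a host, and turns the raw OpenSSL error into a short reason in the style of the messages quoted above. The substring heuristics in `classify_ssl_error` and the "key too small" wording are this example's own assumptions, not the script's actual logic; the hostname defaults to the one used in the thread.

```python
import socket
import ssl

# Operator-facing reasons keyed on substrings of OpenSSL's error text.
# The first two messages echo the check_ssl_cert output quoted in this
# thread; the mapping itself is an assumption of this example.
FRIENDLY = (
    ("legacy sigalg", "Legacy signature algorithm unsupported or disallowed"),
    ("unsupported protocol", "Unsupported TLS protocol version"),
    ("protocol version", "Unsupported TLS protocol version"),
    ("no protocols available", "Unsupported TLS protocol version"),
    ("key too small", "Key too small for the requested security level"),
)


def make_context(security_level):
    """Build a client SSLContext pinned to one OpenSSL security level.

    'DEFAULT@SECLEVEL=n' is OpenSSL cipher-string syntax (OpenSSL >= 1.1.0),
    the same setting as '-cipher DEFAULT@SECLEVEL=n' on the openssl CLI.
    """
    if not 0 <= security_level <= 5:
        raise ValueError("OpenSSL security levels run from 0 to 5")
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT@SECLEVEL=%d" % security_level)
    if security_level == 0:
        # create_default_context() refuses anything below TLS 1.2 on
        # Python 3.10+, so lowering the security level alone would still
        # not reach a TLSv1.0-only server; relax the floor explicitly.
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            # OpenSSL built without TLS 1.0 support: keep the default floor.
            pass
    return ctx


def classify_ssl_error(message):
    """Map a raw OpenSSL error string to a short reason (heuristic)."""
    text = message.lower()
    for needle, friendly in FRIENDLY:
        if needle in text:
            return friendly
    return "TLS handshake error"


def probe(host, port, security_level, timeout=10.0):
    """Attempt a TLS handshake; return (ok, detail).

    detail is the negotiated protocol on success or a classified reason
    on failure. This needs network access; nothing here is mocked.
    """
    ctx = make_context(security_level)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as err:
        return False, classify_ssl_error(str(err))
    except OSError as err:
        return False, "connection error: %s" % err


if __name__ == "__main__":
    import sys

    # Defaults taken from the thread; any host:port can be passed instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.cern.ch"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    for level in (0, 1, 2, 3):
        ok, detail = probe(host, port, level)
        print("seclevel %d: %s (%s)" % (level, "OK" if ok else "CRITICAL", detail))
```

Run it as `python3 probe.py imap.cern.ch 993` to see, level by level, where a legacy server stops negotiating. Note that level 0 is a diagnostic setting only: it re-enables signature algorithms and protocol versions that the default level rejects for good reason, so the fix for the original issue is on the server, not in the monitoring probe.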
@matteocorti Thanks, this was precisely the change I needed for everything to work on my end.
Confirmed working. Great fix, more scalability, easy-to-understand output! Love it.
Thanks for your help, and a great script.
**Describe the bug**
I see the following error output when polling a host of ours:

```
CRITICAL error: SSL error: 48EB1D6C967F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:
```

**To Reproduce**
Not completely sure myself; I only have this error on a single host, but I can't deliver information about the host. I am able to run tests against the host without exposing it.

**Expected behavior**
No internal error output.

**System (please complete the following information):**
- `openssl version`: OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

**Additional context/output**
Add any other context or output (e.g., from `check_ssl_cert -d -v`) about the problem here.

I have tried to do my best here but have not been able to find the root cause of the error. I am not sure if this can be dealt with here or if I need to make changes to my Docker image to fix it.
Thanks for a great script!